| CVE: CVE-2018-20125 |
| Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce] |
| |
| Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| |
| From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001 |
| From: Prasad J Pandit <pjp@fedoraproject.org> |
| Date: Thu, 13 Dec 2018 01:00:36 +0530 |
| Subject: [PATCH] pvrdma: check number of pages when creating rings |
| |
| When creating CQ/QP rings, an object can have at most |
| PVRDMA_MAX_FAST_REG_PAGES (8) pages. Check the 'npages' parameter |
| to avoid excessive memory allocation or a NULL dereference. |
| |
| Reported-by: Li Qiang <liq3ea@163.com> |
| Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> |
| Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com> |
| Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> |
| --- |
| hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ |
| 1 file changed, 11 insertions(+) |
| |
| diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c |
| index 3b94545761..f236ac4795 100644 |
| --- a/hw/rdma/vmw/pvrdma_cmd.c |
| +++ b/hw/rdma/vmw/pvrdma_cmd.c |
| @@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, |
| int rc = -EINVAL; |
| char ring_name[MAX_RING_NAME_SZ]; |
| |
| + if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { |
| + pr_dbg("invalid nchunks: %d\n", nchunks); |
| + return rc; |
| + } |
| + |
| pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); |
| dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); |
| if (!dir) { |
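Review bot: The added `pr_dbg("invalid nchunks: %d\n", nchunks);` prints the count with `%d`; if nchunks is an unsigned 32-bit page count, as its comparison against PVRDMA_MAX_FAST_REG_PAGES suggests, `%u` (or PRIu32) is the matching specifier, and the same applies to the `%d, %d` message added in the create_qp_rings hunk below. The declaration of nchunks is in the signature, which continues outside the hunk, so this is worth confirming rather than assumed. Since this guard is the point where a guest-supplied count is bounded before it sizes any mapping or allocation, a short comment such as `/* nchunks is guest-supplied; bound it before it sizes any allocation */` would record why the early return exists. create_cq_ring's body continues outside the hunk.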
| @@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, |
| char ring_name[MAX_RING_NAME_SZ]; |
| uint32_t wqe_sz; |
| |
| + if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES |
| + || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { |
| + pr_dbg("invalid pages: %d, %d\n", spages, rpages); |
| + return rc; |
| + } |
| + |
| pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); |
| dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); |
| if (!dir) { |
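Review bot: The new early `return rc;` relies on rc already holding an error value at this point; in create_cq_ring the `int rc = -EINVAL;` is visible, but here the declaration of rc sits above the hunk and cannot be checked from this page, so it is worth confirming that the early return cannot hand back zero or an uninitialised value to the caller. A single debug message for both spages and rpages also does not say which side was rejected; as it is debug-only output that is cosmetic, but splitting it into `pr_dbg("invalid spages: %d\n", spages);` and the matching rpages line would make the rejection easier to trace. create_qp_rings's body continues beyond the hunk.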
| -- |
| 2.20.1 |
| |